- Add least-privilege permissions to all GitHub Actions jobs - Fixes 8 CodeQL security findings (actions/missing-workflow-permissions) - Build jobs: contents:read, actions:write - Release job: contents:write, actions:read - Test job: contents:read, checks:write, actions:write - Status jobs: no permissions needed Follows principle of least privilege and GitHub Actions security best practices.
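# Build workflow: compiles the iOS and Mac Catalyst targets of HihaArvio on
# every push / pull request to main and develop (and on manual dispatch),
# uploads the build outputs as short-lived artifacts, and reports one
# aggregate status.
name: Build

on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main, develop]
  workflow_dispatch:

# Deny-by-default: a job added later without its own `permissions:` block
# gets an empty GITHUB_TOKEN instead of the repository default.
permissions: {}

jobs:
  build-ios:
    name: Build iOS
    runs-on: macos-latest
    permissions:
      # Read access to the repository is all the build needs.
      # `actions: write` was dropped: upload-artifact authenticates with the
      # runner's runtime token rather than GITHUB_TOKEN, and that scope would
      # also allow cancelling runs and deleting caches or artifacts.
      contents: read

    steps:
      # Actions are pinned to full commit SHAs; the trailing comment records
      # the release tag the SHA was taken from.
      - name: Checkout code
        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
        with:
          # Keep the token out of .git/config: no later step pushes or
          # fetches, and the following steps run restored tooling and
          # project build targets.
          persist-credentials: false

      - name: Setup .NET
        uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0
        with:
          dotnet-version: '8.0.x'

      - name: Restore workloads
        run: dotnet workload restore src/HihaArvio/HihaArvio.csproj

      # Unsigned CI build: archiving and code signing are switched off, so no
      # signing identity or provisioning secret is required in this job.
      - name: Build iOS
        run: dotnet build src/HihaArvio/HihaArvio.csproj -f net8.0-ios -c Release /p:ArchiveOnBuild=false /p:EnableCodeSigning=false

      - name: Upload iOS build artifacts
        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
        with:
          name: ios-build
          # Only the build outputs are matched; the checkout (including .git)
          # is not part of the artifact.
          path: |
            src/HihaArvio/bin/Release/net8.0-ios/**/*.app
            src/HihaArvio/bin/Release/net8.0-ios/**/*.ipa
          retention-days: 7

  build-maccatalyst:
    name: Build macOS Catalyst
    runs-on: macos-latest
    permissions:
      # Same reasoning as build-ios: read-only repository access suffices,
      # artifact upload does not depend on an `actions` scope.
      contents: read

    steps:
      - name: Checkout code
        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
        with:
          # Do not leave the token in .git/config for later steps to read.
          persist-credentials: false

      - name: Setup .NET
        uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0
        with:
          dotnet-version: '8.0.x'

      - name: Restore workloads
        run: dotnet workload restore src/HihaArvio/HihaArvio.csproj

      # Unsigned CI build, as in build-ios.
      - name: Build macOS Catalyst
        run: dotnet build src/HihaArvio/HihaArvio.csproj -f net8.0-maccatalyst -c Release /p:ArchiveOnBuild=false /p:EnableCodeSigning=false

      - name: Upload macOS build artifacts
        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
        with:
          name: maccatalyst-build
          path: |
            src/HihaArvio/bin/Release/net8.0-maccatalyst/**/*.app
            src/HihaArvio/bin/Release/net8.0-maccatalyst/**/*.pkg
          retention-days: 7

  # Aggregate gate: runs even when a build job failed (`if: always()`) and
  # turns the two job results into a single pass/fail status.
  build-status:
    name: Build Status
    runs-on: ubuntu-latest
    needs: [build-ios, build-maccatalyst]
    if: always()
    # The job only inspects `needs.*.result`; it never uses GITHUB_TOKEN.
    permissions: {}

    steps:
      - name: Check build status
        # Expression values reach the script through the environment instead
        # of being spliced into the script text, so the shell never parses
        # them as code. Job results are a fixed set of words today; the same
        # pattern stays safe if other contexts are added to this step later.
        env:
          IOS_RESULT: ${{ needs.build-ios.result }}
          MACCATALYST_RESULT: ${{ needs.build-maccatalyst.result }}
        run: |
          if [[ "$IOS_RESULT" == "success" ]] && [[ "$MACCATALYST_RESULT" == "success" ]]; then
            echo "✅ All builds succeeded"
            exit 0
          else
            echo "❌ One or more builds failed"
            echo "iOS: $IOS_RESULT"
            echo "macOS Catalyst: $MACCATALYST_RESULT"
            exit 1
          fi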